[Chugalug] Access Control for LAMP

Mike Harrison cluon at geeklabs.com
Fri Oct 5 17:36:52 UTC 2012



1. Using .htaccess files is a crude and nasty nasty way to do this.
    Works, but even I stopped doing it circa 199x?

2. Basic/Simple auth over SSL (never plain text/http) is a
    great first step.

-1. Session ID based auth can be snarfed, captured, abused.
     I actually do this with permission on a couple of "smart grid"
     systems faking logins, getting the cookies, and then
     abusing that credential. My fear is that it is snarfable from
     user space in a browser (cookies) and is not rechecked for
     validity. I have seen systems where the cookie is good for days+
     even after the user has been denied access or had permissions/access
     changed.


As this is SSO across multiple apps (possibly servers), the trick is the
ability to modify code in each system to support whatever it is you do.
A central system could easily be used to provide auth services
if you can modify or hook into the current systems.

Kewl thing about basic auth, if done right: they can auth at one level
and it will maintain their creds "down the path" in the browser.

ie: login/auth first at:  https://acme.foo.com/app

"acme" as a hostname is just the hostname, and could relate to a customer
grouping or not. We use this a lot to group customers, manage look and
feel, etc. /app is a common top level directory. You can also
auth at the root of the hostname.

Then that exact same set of credentials is automagically used
for everything at that level or below:

https://acme.foo.com/app/widgets/....  <- separate app
https://acme.foo.com/app/cogs/....     <- separate app
https://acme.foo.com/app/sprockets/..  <- separate app

The trick is making each app do basic auth, and possibly use a common 
database for each. Or you can proxy that auth to the top level app.

============================================================
Mike Harrison   bogon at geeklabs.com  cell: 423.605.6943

On Fri, 5 Oct 2012, Eric Wolf wrote:

> OMG! An honest-to-goodness Linux related post to CHUGALUG!
> A client of mine has a series of LAMP applications running on the same server. They currently manage access control
> through separate htaccess files and giving out the URLs on a per customer basis. 
> 
> I need to implement a unified login across all their apps but it would be nice to not have to modify a bunch of code.
> Ideally, the system would have a central username/password (maybe even OpenID) and present a menu of apps available to
> that user. Access to the other apps not available to the user would be restricted even if the user worked out the URL.
> 
> The solution needs to pass basic security audits by IT flunkies at reasonably large non-tech companies.
> 
> Any thoughts? Tricks? Etc?
> 
> -Eric
> 
> -=--=---=----=----=---=--=-=--=---=----=---=--=-=-
> Eric B. Wolf                           720-334-7734
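The layout Mike describes, as an added example that is not from either poster: an Apache 2.4 vhost that forces HTTPS, does Basic auth once at /app so the browser carries the same credential to widgets, cogs and sprockets, and additionally restricts one app to a group so a user who works out the URL is still denied. The certificate paths, the htpasswd/group file locations and the group name are assumptions.

```apache
# Never accept Basic auth over plain http: bounce everything to https first.
<VirtualHost *:80>
    ServerName acme.foo.com
    Redirect permanent / https://acme.foo.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName acme.foo.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/acme.foo.com.crt    # assumed path
    SSLCertificateKeyFile /etc/ssl/private/acme.foo.com.key  # assumed path
    DocumentRoot /var/www/acme

    # One realm for /app and everything below it. The browser re-sends the
    # credential for every path under /app, so widgets, cogs and sprockets
    # all see the same login without sharing any session code. Because the
    # credential is checked on every request, removing a user from the
    # file (or a group) takes effect on the next request, not days later.
    <Location /app>
        AuthType Basic
        AuthName "Acme Apps"
        AuthBasicProvider file
        AuthUserFile  /etc/apache2/acme.htpasswd   # central user store (assumed path)
        AuthGroupFile /etc/apache2/acme.groups     # central group store (assumed path)
        Require valid-user
    </Location>

    # Per-app restriction: only members of the cogs-users group (assumed name)
    # may reach /app/cogs, even if they hold a valid login for /app.
    <Location /app/cogs>
        Require group cogs-users
    </Location>
</VirtualHost>
```

Adding `Require group` sections for widgets and sprockets gives each app its own allow-list while keeping the single login at /app.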

